Re: [TLS] DSA should die

David Benjamin <davidben@chromium.org> Wed, 01 April 2015 19:53 UTC

From: David Benjamin <davidben@chromium.org>
Date: Wed, 01 Apr 2015 19:53:18 +0000
Message-ID: <CAF8qwaDtDE9w=yf2dP3dHzkWcNm3mAWtwChqK_OgvgPMPG3BOw@mail.gmail.com>
To: Hanno Böck <hanno@hboeck.de>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EhnpTkOXTKd8R1ecFC9C1YxwRwg>
Subject: Re: [TLS] DSA should die

DSA has also been removed from Chrome, so that's two major browsers.
(Chrome/Android saw it gone in October and Chrome/Windows last month.)
There's been a couple reports of servers using self-signed DSA certs for
some reason, but otherwise nothing. Before that, usage was in the noise.
Seems a safe thing to prune.

David

On Wed, Apr 1, 2015 at 2:12 PM Hanno Böck <hanno@hboeck.de> wrote:

> Hi,
>
> Mozilla just removed DSA support from Firefox. It seems the use of
> (non-ecc) DSA in TLS is pretty much nonexistent. Still the TLS 1.3 draft
> contains DSA.
>
> Proposal: DSA should go away and not be part of TLS 1.3.
>
> Reasons to remove DSA:
> * DSA with 1024 bit is considered weak and DSA with more than 1024 bit
>   is widely unsupported.
> * DSA has comparable security to RSA (it uses the same key size) which is
>   the de-facto-default. Given that everybody uses RSA and nobody uses
>   DSA, having the latter only adds unnecessary complexity.
> * DSA can fail badly with bad random number generators.
>
> Some numbers:
> In the 2013 https ecosystem scan there were 17 DSA keys on public IPs,
> none of them CA-trusted:
> http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
>
> I think it's safe to say nobody will care if DSA is removed.
>
> cu,
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno@hboeck.de
> GPG: BBB51E42
>
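Added example, not part of the thread: the quoted point that DSA "can fail badly with bad random number generators" shown as an audit over toy textbook DSA. Signatures made with a repeated nonce still verify, so the only visible symptom is a repeated r under one key, which is what reused_nonces() flags. All parameters, keys, nonces and messages are constructed for illustration and far too small for real use.

```python
import hashlib
from collections import defaultdict
from itertools import count
from math import isqrt

# Toy DSA domain parameters (constructed; far too small for real use).
Q = 2**31 - 1                                     # prime subgroup order
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
P = next(p for j in count(1) if _is_prime(p := 2 * j * Q + 1))   # Q divides P-1
G = next(g for h in range(2, 100) if (g := pow(h, (P - 1) // Q, P)) != 1)

def h_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, msg, k):
    """Textbook DSA signing; the per-message nonce k is supplied by the caller."""
    r = pow(G, k, P) % Q                  # r depends only on k, never on msg
    s = pow(k, -1, Q) * (h_int(msg) + x * r) % Q
    return r, s

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h_int(msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r

def reused_nonces(records):
    """records: (pubkey, msg, (r, s)) tuples. Returns groups sharing (pubkey, r)."""
    seen = defaultdict(list)
    for y, msg, (r, _s) in records:
        seen[(y, r)].append(msg)
    return {key: msgs for key, msgs in seen.items() if len(msgs) > 1}

X = 123456789                             # constructed private key
Y = pow(G, X, P)                          # matching public key
STUCK_K = 987654321                       # constructed: RNG returning one value
BAD = [(Y, m, sign(X, m, STUCK_K)) for m in (b"hello", b"world")]
GOOD = [(Y, m, sign(X, m, k))
        for m, k in ((b"hello", 1111111), (b"world", 2222222))]

if __name__ == "__main__":
    print("all signatures verify:", all(verify(y, m, s) for y, m, s in BAD + GOOD))
    print("reuse in BAD: ", reused_nonces(BAD))
    print("reuse in GOOD:", reused_nonces(GOOD))
```
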